|
it's that time of year, stumbled upon that guy calling in that Outlook is really slow and has been for a while but he's hoping we can finally fix it. I'm the fourth person to get the ticket assigned ... let's... seee.... ah, the season for sharing the joy after all User has had mailbox since start of employment - 1997. There are 159922 unread items in his Inbox and he does not want to remove any. Or mark them read. The unread ones are unread for a reason. These include all messages ever placed in the Sent items box. And drafts. All folders in his mailbox are empty except the inbox, which we can't touch. New folders will throw him for a loop, how will he find anything? He knows at what height important messages are on the scroll bar on his screen. Besides the search doesn't work. Poorly even when it was still Notes, probably. Please advise
|
# ? Dec 17, 2018 23:55 |
|
|
150k isn't inherently bad. I'm sure o365 with its generous storage policy will let you accumulate 3x as much. However, digital hoarding on a grand scale should be sent directly to HR and god willing you have a retention policy (with an email archiver) to beat this person with. Because if you do, and grandpa here with the first recorded e-mail ever, and litigation against the company finds out, you'll be ffffuuuuccckkkeeed.
incoherent fucked around with this message at 01:48 on Dec 18, 2018 |
# ? Dec 18, 2018 01:31 |
|
150k UNREAD messages, that's a lot of unread messages. I've never directly admined exchange, but our architect used to handle our own and he mentioned before that a high amount of unread mail will cause outlook to be slow because it's constantly sending data to/from the exchange server. Maybe something has changed, this was 5-6 years ago, but I doubt it. *edit* or he could have been loving with me so I'd mark all the messages read in outlook, I have something like 200K+ unread on the machine our one client gives us because I never open outlook, all the email gets forwarded by a transport rule to my internal address.
MF_James fucked around with this message at 01:42 on Dec 18, 2018 |
# ? Dec 18, 2018 01:36 |
|
If you're off cached mode, then yes it will do a lot of traffic.
|
# ? Dec 18, 2018 01:47 |
|
The Unread items counter in particular has crashed Outlook in the past when it went beyond a certain number, I think. I always use 10.000 as a single good number to remember. Always keep <10.000 items in a folder, always use <10.000 folders in your mailbox. Easy and this user will have to deal with folders because this is going to kill his mailbox if he can't even open it before lunch. He's pretty good about cleaning things up, the entire mailbox is under 10 GB. There's just ... still >20 year old crap in there, migrated and migrated and migrated and migrated... Our archiving appliance is slurping up all mail so even if we just threw his entire mailbox out there would still be a copy with the compliancy people that they'd keep for the amount of time that they do. I'm not worried except that this amount of digital hoarding might point to other issues than a slow computer but hey. Don't we all have a few
|
# ? Dec 18, 2018 03:47 |
|
Old Binsby posted: There are 159922 unread items in his Inbox

Print this out and give it to the user: https://support.microsoft.com/en-us/help/2768656/outlook-performance-issues-when-there-are-too-many-items-or-folders-in

Take out a highlighter and highlight this part: Outlook 2019, Outlook 2016, Outlook 2013 and Outlook 2010: 100,000 items per folder

This person should use professional development funds to get training on email management good practice. The message you need to deliver is that this is Outlook behaving as designed and you cannot fix it. Warning: the user may go and delete 59,923 items and then complain the issue didn't go away, so be prepared for an excuse for that.
|
# ? Dec 19, 2018 17:18 |
|
NevergirlsOFFICIAL posted: Print this out and give it to the user:

if they were that easy to deal with they wouldn’t have had this amount but thanks for the link. I was kind of looking for it, seen that before but couldn’t find it last week. I’ve since learned this is an ancient formerly important dude but he’s not really doing anything any more, he got demoted. Got demoted but kept an office and secretary to keep him from making a big fuss, she said to be gentle and maybe just ignore him until his retirement this summer lol
|
# ? Dec 19, 2018 20:32 |
Old Binsby posted: if they were that easy to deal with they wouldn’t have had this amount but thanks for the link. I was kind of looking for it, seen that before but couldn’t find it last week. I’ve since learned this is an ancient formerly important dude but he’s not really doing anything any more, he got demoted. Got demoted but kept an office and secretary to keep him from making a big fuss, she said to be gentle and maybe just ignore him until his retirement this summer lol

We had a guy like this, then did a mail migration, and whoops his continued access to company emails to arrange bridge was not considered accidentally throw on a retention if he's not subject to hold
|
|
# ? Dec 19, 2018 20:42 |
|
Old Binsby posted: it's that time of year, stumbled upon that guy calling in that Outlook is really slow and has been for a while but he's hoping we can finally fix it. I'm the fourth person to get the ticket assigned ... let's... seee.... ah, the season for sharing the joy after all

If you have Office 365, utilize archiving. Dump the oldest 75-100k messages into his archive, and have the rest go into his standard mailbox. Should clear up some of his performance issues. But yeah, he needs to just let go of some of his old stuff....
|
# ? Dec 20, 2018 20:11 |
|
https://www.zdnet.com/article/hackers-wipe-us-servers-of-email-provider-vfemail/ I guess their disaster recovery process didn't work lol
|
# ? Feb 13, 2019 03:56 |
|
Yet another data point to justify self hosting dovecot for my enterprise
|
# ? Feb 17, 2019 04:40 |
|
So someone was working from home yesterday and kept trying to add contacts, but then they wouldn't be in his "all contacts" list. Today he gets to the office and they all show up. What on earth can I do to troubleshoot ex post facto?
|
# ? Feb 19, 2019 19:57 |
|
Is there any way to have Exchange completely ignore the From: in an inbound message body and force it to use the real SMTP email address? Like either scrub any "from:" entries from a message body, or overwrite them with the SMTP From header:. Email spoofing is getting ridiculous, and it's bullshit that Outlook does so much to help out attackers by hiding the info the users really need to see. SPF is useless against these kind of spoofed messages since the attackers aren't forging From: in the actual headers, just the "friendly name." Yeah this customer's lovely Barracuda spam appliance really should stop an email with a malicious attachment where the body is something like "Here's a totally legitimate invoice," but if Outlook would show the real sender's email, even the C-levels might realize it's a phishing message. I certainly can't train a 70 year old bank president to open a message and analyze the headers. Why isn't there a big outcry in the industry about the way email clients hide vital security information from users?
|
# ? Feb 27, 2019 20:47 |
|
Because users can't be trusted to do anything with information. Use DMARC. Use whatever Barracuda's version of Impersonation Protection is.
|
# ? Feb 27, 2019 21:28 |
|
Is DMARC kinda like spf where it's ineffective if the sender doesn't have it implemented, or does it somehow cover senders that don't have a DKIM record? Do enough email hosts implement DMARC to where it's reasonable to ding their SCL score over not having it? The sender in question is using godaddy's email servers, apparently, and has an SPF record, but the spam senders are sending from other email addresses/servers.
|
# ? Feb 28, 2019 00:29 |
|
It is like SPF where if the other side does not have it set up you cannot leverage it. That is where something like Mimecast's Impersonation Protection comes into play.
|
# ? Feb 28, 2019 00:35 |
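
The friendly-name spoofing discussed in the posts above can pass SPF and DMARC when the attacker sends from a domain of their own, so a filter has to compare what the display name claims with the address actually used. An added Python example of that comparison (not posted by anyone in the thread; the domains, the protected name and the sample headers are constructed assumptions):

```python
import re
from email import message_from_string, policy

# Assumed values for illustration (hypothetical): your own mail domains and
# the display names attackers are likely to borrow.
INTERNAL_DOMAINS = {"bank.example"}
PROTECTED_NAMES = {"pat president"}

# An e-mail address written inside the display name itself.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[\w-]+)")


def spoof_reasons(raw_message):
    """Return reasons the From: display name disagrees with the real address."""
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg["From"]
    if header is None or not header.addresses:
        return ["missing-or-unparseable-from"]
    reasons = []
    for sender in header.addresses:
        real_domain = sender.domain.lower()
        # policy.default has already decoded RFC 2047 encoded-words, so an
        # encoded display name cannot slip past the comparison.
        name = " ".join(sender.display_name.split()).casefold()
        shown = ADDR_IN_NAME.search(name)
        if shown and shown.group(1) != real_domain:
            reasons.append("name-shows-address-at-" + shown.group(1))
        if name in PROTECTED_NAMES and real_domain not in INTERNAL_DOMAINS:
            reasons.append("protected-name-from-" + real_domain)
    return reasons


# Constructed sample headers, not taken from any real message.
SAMPLES = {
    "embedded": 'From: "pat.president@bank.example" <billing@invoices.example>\n'
                "Subject: Invoice\n\nSee attached.\n",
    "encoded": "From: =?utf-8?b?UGF0IFByZXNpZGVudA==?= <pp1997@freemail.example>\n"
               "Subject: Quick favour\n\nAre you at your desk?\n",
    "genuine": "From: Pat President <pat.president@bank.example>\n"
               "Subject: Board pack\n\nAttached.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, spoof_reasons(raw))
```

A non-empty result is a natural trigger for a warning banner or subject tag on the delivered message rather than an outright reject, since legitimate senders sometimes share a name with a protected one.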
|
The barracuda analogs to Impersonation Protection are only available in the cloud services. If you have a box (like I do and Cheech Marinade) you can use the CPL layer, which is a free "light" cloud based scanning which gives you basic link protection. But to get the goodies of Impersonation protection you have to pay out for the cloud subscription https://www.barracuda.com/products/sentinel
|
# ? Feb 28, 2019 01:26 |
|
I've created a shared mailbox in our on-prem Exchange, and granted access to the required users. One of them would like to add it to their mobile phone (I'm guessing iPhone) and has asked me what the password is. Since it's a shared mailbox, by default it doesn't have a password. Can it be added to a mobile mail app without one? I've Googled but all I've found so far has said to enter the password.
|
# ? Mar 27, 2019 06:03 |
|
in O365 this is done by adding the mailbox and authenticating but using your personal credentials. On prem I think you have to gently caress around a little, probably IMAP supports authentication using personal credentials to the shared mailbox. But not the default Exchange connection via ActiveSync. It can be done through EWS, which supplanted activesync and is the reason it works in O365 iirc. Enabling the shared mailbox user account is done sometimes but it’s a worse idea than IMAP even, imo
|
# ? Mar 27, 2019 14:40 |
|
I've enabled other shared mailboxes' accounts before, but that was so another set of users could login to it via OWA to set autoreplies. Still, if that's what needs to be done, so be it.
|
# ? Mar 27, 2019 15:01 |
|
TITTIEKISSER69 posted: I've enabled other shared mailboxes' accounts before, but that was so another set of users could login to it via OWA to set autoreplies. Still, if that's what needs to be done, so be it.

the feature specifically for users to open their own OWA and edit the autoreply of another mailbox is supported on prem if they’re given full access, just fyi
|
# ? Mar 27, 2019 15:08 |
|
Interesting! I'll test that next time the need comes along.
|
# ? Mar 27, 2019 15:40 |
|
Okay folks, one of my teams has run into a problem which we haven't found a resolution to yet. Here is the scenario...

1: A user gets phished who is privileged in O365. The account is made a delegate to a sensitive mailbox. That user account is then used to read email in that inbox.

2: Search-MailboxAuditLog shows these actions. It however only shows the mail messages being accessed by messageid.

For the life of me, my team and I can't figure how in the hell to query office 365 to match up the messageid's to emails to know exactly what was read (or shown to be read) by the logs. You would figure that a content search would be useful, but alas messageid is not a defined parameter in the search (wtf?). Message trace works, but it only goes back so far and if the email is an old one it won't show up there. Some of my top leaders want to know which specific email was read and are pushing pretty hard. I explained that it's better to assume that an entire offline copy was cached and all email should be considered read in the mailbox at this point, but I was overruled. I should be able to search a loving office 365 mailbox by message id! Help!
|
# ? Apr 22, 2019 15:16 |
|
I think you were pretty much on the right track, if you do a delegate/admin search on that mailbox for the action messagebind (ie reading a message) you should get a true unique ID like Identity (?) besides message id, did you use --ShowDetails? I hate that it's a switch but it definitely should improve the results for you if you didn't before. Swap out -Mailboxes for -Identity, if you were using the mailboxes parameter because it's not compatible for some reason.
|
# ? Apr 22, 2019 16:04 |
|
Old Binsby posted: I think you were pretty much on the right track, if you do a delegate/admin search on that mailbox for the action messagebind (ie reading a message) you should get a true unique ID like Identity (?) besides message id, did you use --ShowDetails? I hate that it's a switch but it definitely should improve the results for you if you didn't before. Swap out -Mailboxes for -Identity, if you were using the mailboxes parameter because it's not compatible for some reason.

Messagebind is retired I think. We definitely are using -showdetails and -Identity in my searches and for email messages the subject lines are showing up blank in the auditlog search but contain messageid's. If subject lines were included in the audit log I wouldn't be in this position. I don't understand the point of putting messageid's in an audit log but not giving you a way to search for them.
|
# ? Apr 22, 2019 16:12 |
|
eh you're right. Searching for the MailItemsAccessed operation is the replacement. That also yields blank subject line entries in the output?
|
# ? Apr 22, 2019 16:17 |
|
Nothing like a mass mailbox migration to a new exchange server filling up your log volume and dismounting all production DBs.

Cheech Marinade posted: Is there any way to have Exchange completely ignore the From: in an inbound message body and force it to use the real SMTP email address? Like either scrub any "from:" entries from a message body, or overwrite them with the SMTP From header:. Email spoofing is getting ridiculous, and it's bullshit that Outlook does so much to help out attackers by hiding the info the users really need to see. SPF is useless against these kind of spoofed messages since the attackers aren't forging From: in the actual headers, just the "friendly name."

Please enable either your exchange server or the barracuda appliance to put the giant "HEY THIS IS EXTERNAL PLEASE BE CAUTIOUS WHEN OPENING ATTACHMENTS" banner and you should also have spoof protection turned on for all domains in the CPL and at the Appliance level. Barracuda ESGs are pretty drat good honestly. Make sure all your ATP definitions are set to auto-update and make sure that attachment scanning is enabled for inbound email. If the customer isn't paying for an ATP subscription tell them to invest in one and set up a CCP/CPL for their ESG and domains. The biggest spam/phishing related problems I have these days are from spammers using legitimate email servers with proper certificates and mail records. I get poo poo from compromised road runner, AOL, etc accounts all the goddamn time. Most of these can be caught if you crank down the filter's tolerance for mail but then you deal with a lot more false positives. Email phishing is becoming incredibly hard to stop and it's one of the areas I think infosec is having the worst time keeping up with the bad guys. Too much of it requires users to know how to read email now and critical information is obscured as you said. I think "From:" as a separate modifiable field needs to be completely removed from the email standard.

Too many malicious bodies have realized that infosec is quite capable of keeping up with infection based attacks and have now switched to targeting the one thing infosec can't fix: user ignorance.
Digital_Jesus fucked around with this message at 16:51 on Apr 22, 2019 |
# ? Apr 22, 2019 16:39 |
|
Old Binsby posted: eh you're right. Searching for the MailItemsAccessed operation is the replacement. That also yields blank subject line entries in the output?

Yes it does. In fact, it contains TONS of blank fields.

DestFolderId DestFolderPathName FolderId FolderPathName FolderName MemberRights MemberSid MemberUpn SourceItemIdsList SourceItemSubjectsList SourceItemAttachmentsList SourceItemFolderPathNamesList SourceFolderPathNamesList SourceItemInternetMessageIdsList ItemId ItemSubject ItemAttachments ItemInternetMessageId DirtyProperties
|
# ? Apr 22, 2019 16:42 |
|
Sickening posted: Yes it does. In fact, it contains TONS of blank fields.

very strange. It might be worth contacting MS directly because it smells like a bug. Last thing that comes to mind is checking whether the stuff you're looking for is logged in the mailbox audit logs at all (get-mailbox X | fl *audit*) and whether you have the correct role group assignments. Check the Discovery/Records group, maybe their move to their own portal broke something. Low hanging fruit, maybe someone else has an idea
|
# ? Apr 22, 2019 16:58 |
|
Sickening posted: Okay folks, one of my teams has run into a problem which we haven't found a resolution to yet. Here is the scenario...

You can do what you want with EWS + powershell. It's fairly involved so if you want to learn it the turn around may be longer than what your company would like. I didn't find anything that does exactly what you want from some quick googling, but theoretically you would pull in the mailbox that was compromised, iterate through every folder, filter for messages with a matching message-id, and return the pertinent details.
|
# ? Apr 22, 2019 21:04 |
|
Will Styles posted: You can do what you want with EWS + powershell. It's fairly involved so if you want to learn it the turn around may be longer than what your company would like.

I found that too. That is probably going to be my last ditch effort. This should be an easily searchable thing, especially since they are assigning the message ids.
|
# ? Apr 22, 2019 21:12 |
|
Actually just found this: https://gist.github.com/bill-long/09545eae085f9da0886b All you'd need to do is alter the search criteria to be based on message IDs instead of subject.
|
# ? Apr 22, 2019 22:06 |
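
The walk-every-folder-and-match-on-message-id approach from the two posts above, as an added Python example that is neither the linked gist nor anyone's posted code. It swaps EWS for an offline export of the mailbox as raw RFC 822 messages (an assumption), and the folder names, messages and audit IDs are constructed samples.

```python
from email import message_from_bytes, policy


def norm_id(value):
    """Compare Message-IDs without angle brackets or surrounding whitespace."""
    return (value or "").strip().strip("<>").strip()


def index_export(items):
    """Index exported messages. items: iterable of (folder_path, raw_bytes)."""
    index = {}
    for folder, raw in items:
        msg = message_from_bytes(raw, policy=policy.default)
        mid = norm_id(msg["Message-ID"])
        if not mid:
            continue  # no Message-ID header, so it cannot be matched
        # The same ID can sit in several folders (copies made by rules).
        index.setdefault(mid, []).append({
            "folder": folder,
            "subject": str(msg["Subject"] or ""),
            "from": str(msg["From"] or ""),
            "date": str(msg["Date"] or ""),
        })
    return index


def resolve(audit_ids, index):
    """Split message IDs from the audit log into identified and unidentified."""
    found, missing = {}, []
    for raw_id in audit_ids:
        mid = norm_id(raw_id)
        if mid in index:
            found[mid] = index[mid]
        elif mid not in missing:
            missing.append(mid)
    return found, missing


def _sample(mid, subject):
    # Builds one constructed message; nothing here comes from a real mailbox.
    return (f"Message-ID: <{mid}>\r\nFrom: cfo@bank.example\r\n"
            f"Date: Mon, 04 Mar 2019 09:12:00 -0500\r\n"
            f"Subject: {subject}\r\n\r\nbody\r\n").encode()


EXPORT = [
    ("Inbox", _sample("a1@mail.bank.example", "Q3 wire instructions")),
    ("Inbox/Copies", _sample("a1@mail.bank.example", "Q3 wire instructions")),
    ("Inbox", _sample("b2@mail.bank.example", "Payroll export")),
    ("Sent Items", _sample("c3@mail.bank.example", "Lunch?")),
]
AUDIT_IDS = ["<a1@mail.bank.example>", "b2@mail.bank.example ",
             "<zz9@mail.bank.example>"]

if __name__ == "__main__":
    found, missing = resolve(AUDIT_IDS, index_export(EXPORT))
    for mid, copies in found.items():
        print(mid, [(c["folder"], c["subject"]) for c in copies])
    print("not in export:", missing)
```

IDs that end up in the second list belong to messages that are no longer in the export, for example because they were deleted or purged after being read, and cannot be identified this way.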
Anyone have any ideas how to query when a retention policy was set on a mailbox?
|
|
# ? Apr 26, 2019 13:04 |
|
Submarine Sandpaper posted: Anyone have any ideas how to query when a retention policy was set on a mailbox?

the admin audit log will show that unless you have that log recycle after X days and it happened before then. In o365 I set it at forever first thing. The command to look for should be set-mailbox with an argument Retentionpolicy used
|
# ? Apr 26, 2019 14:19 |
|
Sickening posted: I found that too. That is probably going to be my last ditch effort.

thought about this a little more because it’s weird and i forgot to ask: when you download the audit data from the mailbox as XML, is that half-empty too/is it even available for downloading ?
|
# ? Apr 26, 2019 14:25 |
|
Old Binsby posted: thought about this a little more because it’s weird and i forgot to ask: when you download the audit data from the mailbox as XML, is that half-empty too/is it even available for downloading ?

I didn't even go down that path. When I search the audit logs, i pipe it into a csv.
|
# ? Apr 26, 2019 18:09 |
|
Sickening posted: I didn't even go down that path. When I search the audit logs, i pipe it into a csv.

definitely preferable to diy xml mangling. I like out-gridview sometimes too i asked out of curiosity only , not applicability per se. Your EWS search looks like it should do the trick probably. Did it? that xml file is a fairly direct/uninterpreted way of checking whether exchange is even making the records properly. if it does, a report/search coming up empty is permissions or powershell mishaps, if not, something serious is wrong or you actually didn’t have it enabled the way you think you did.
|
# ? Apr 26, 2019 18:25 |
|
Old Binsby posted: definitely preferable to diy xml mangling. I like out-gridview sometimes too

I am not doing ews fuckery until I am forced to. Right now I have scripts ready to create mailbox rules to make a copy of emails with certain message id's in the header so these folks can see what email was read at their leisure. I am ready to be done with it.
|
# ? Apr 26, 2019 18:30 |
I may be blind but this came on my plate this morning and I cannot find explicit documentation stating whether or not an administrative search-mailbox -subject "blah" -deletecontent -searchdumpsteronly will actually remove the item for a user on litigation hold?
|
|
# ? May 9, 2019 15:51 |
|
|
Submarine Sandpaper posted: I may be blind but this came on my plate this morning and I cannot find explicit documentation stating whether or not an administrative search-mailbox -subject "blah" -deletecontent -searchdumpsteronly will actually remove the item for a user on litigation hold?

Holy poo poo, that is a great question. I would hope that it wouldn't. I would also not be shocked that it does nothing but override retention policies.
|
# ? May 9, 2019 16:21 |